CVE-2025-3248

CriticalKnown Exploited

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated…

VulnCheck·CWE-306·Published 2025-04-07

CVSS

9.8

EPSS

1.00

KEV

Yes

Exploits

cve.orgen

202 chars

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

NVDen

202 chars

OSV.deven

202 chars

GHSAen

201 chars

NVDes

236 chars

Las versiones de Langflow anteriores a la 1.3.0 son susceptibles a la inyección de código en el endpoint /api/v1/validate/code. Un atacante remoto no autenticado puede enviar solicitudes HTTP manipuladas para ejecutar código arbitrario.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Primary	cve.org	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0	Secondary	GHSA	9.3	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A